Government Staffing Agencies – Here’s How to “Right-Size” CMMC Level 3

Last Updated on April 10, 2021

Government staffing agencies may not handle the same types of sensitive data that manufacturers and other firms in the US Department of Defense (DoD) supply chain typically do. But you will still need to meet the Cybersecurity Maturity Model Certification (CMMC) requirements your contract specifies.

In fact, a growing number of staffing companies are being asked to comply with CMMC Level 3, the level required to process Controlled Unclassified Information (CUI). Why? Because a number of CMMC Level 3 controls have been deemed legitimately "in scope" for their environments.

If this is your fate, it’s not all bad news. CMMC Level 3 certification could be a big competitive differentiator for future government contracts.

Further, you may be able to strategically "right-size" your CMMC Level 3 compliance effort, as Pivot Point Security CISO and Managing Partner John Verry explains in a recent episode of The Virtual CISO Podcast. That episode focuses specifically on what government staffing agencies need to know about CMMC.

“The way you would handle this if you were going to proceed towards CMMC Level 3, and you thought many of the controls didn’t make sense for you to implement… To do that properly, you conduct a risk assessment,” shares John. “You say which risks are in play and which aren’t. And then you use that [risk assessment] to substantiate why certain controls are not applicable in your environment.”

“And that would get documented in your government staffing agencies right level